Data & Privacy News - 20 May 2020

Data Download webinar on Tuesday 26 May

Join our Data Management Team on Tuesday 26 May at midday to hear what they have seen since the GDPR came into force on 25 May 2018. They will share their frank views on practice, drawn from experience, and on what could be on the horizon for data protection practice.

A must-attend event for anyone with an interest in data protection in their business. Sign up here with Zoom.

Latest ICO updates

The ICO has published guidance for employers on workplace testing for coronavirus, with some sectors returning to work. If you would like advice or an action plan created from a data protection perspective, please get in touch.

The ICO is also reviewing the Data Protection Impact Assessment (DPIA) for NHSX's trial of its contact tracing app on the Isle of Wight and will provide feedback as soon as possible. DPIAs are used by organisations to identify, address and minimise the data protection risks of potential projects.

ECJ to deliver judgment in Schrems II case on 16 July 2020

The European Court of Justice (ECJ) has announced that it will deliver its judgment in the Schrems II case on 16 July 2020.

The judgment will determine the validity of model clauses (officially known as standard contractual clauses (SCCs)) as a mechanism for transferring personal data from the EEA to third countries under the GDPR. It is anticipated that further insight will also be given on the validity of the US Privacy Shield regime.

In December 2019, the CJEU's Advocate General released its non-binding opinion, stating that SCCs remain a valid way in which to transfer personal data outside of the EEA. Although the Advocate General's opinion is followed by the CJEU in almost all cases, there is no requirement for the CJEU to do so.

EDPB guidance states cookie walls do not constitute valid consent

New consent guidance adopted by the European Data Protection Board (EDPB) confirms that cookie walls do not constitute valid consent: because access to the website (and the provision of services) is dependent on accepting the cookies, the consent is not freely given. Further, scrolling or swiping through a website will not constitute valid consent. Under this guidance, implied consent to cookies will not meet the unambiguous and affirmative indication requirement of GDPR consent.

In this guidance, the EDPB has retained the majority of the previous consent guidance issued by the Article 29 Working Party, notably updating the case study example 16 on scrolling and consent.